SYSTEM AND METHOD FOR FACILITATING OPERATOR AUTHENTICATION

BACKGROUND OF THE INVENTION 

Field of the Invention 

The invention relates generally to the field of digital data processing systems and more particularly to systems and methods for facilitating authentication of prospective operators who wish to make use of computing and other resources provided in such digital data processing systems. The invention particularly provides a system and method that facilitates relatively inexpensive but reasonably secure authentication of prospective users for a number of such resources, such as computers, available in a network.

Background Information 

In a number of circumstances, it is desirable to be able to authenticate an operator, that is, verify that the operator is who he or she claims to be, before allowing him or her to access or make use of, for example, a computer, or to access or make use of resources such as web pages, computing resources, applications, information files and other types of resources which will be readily apparent to those skilled in the art. Several methodologies have been developed to facilitate authentication of an operator. In one system, referred to as a password-based authentication system, the operator provides not only his or her name or other identifier, which may be publicly known, but also a password, which should be known only to the operator and the system whose resource(s) is/are to be used. If the password provided to the system along with an access request matches the password known to the system for the operator identified by the identifier also provided with the access request, then the system will assume that the operator's identity has been authenticated and, if the computer or resource otherwise determines that the operator is authorized to use the requested computer or resource, allow access to the requested resource. On the other hand, if the password does not match the password known to the system for the operator identified by the identifier, the system will assume that the operator's identity has not been authenticated, and may refuse to allow access to the requested resource.

Several problems arise with the use of passwords to authenticate operators. First, in order for passwords to be useful, they need to be kept secret. If an operator does not treat his or her password as secret, that is, if he or she allows others access to it, the security of the password will be compromised. Accordingly, a number of systems require operators to change their passwords frequently. This can create a problem particularly if an operator wishes to access resources on a number of systems, since the operator will need to keep his or her password up-to-date on each of the systems.

To avoid the problem of having to update passwords, authentication arrangements have been developed that issue authentication "certificates" for operators who may wish to access resources in a distributed arrangement. A certificate is issued by a certification authority, which may be affiliated with the systems that provide the resources that may be accessed, or may be a third-party entity that vouches for the identity of the prospective operators to whom it issues certificates.

For example, in an exemplary certificate-based verification arrangement, the certificate includes operator identification information and a public key, with the corresponding private key being provided to the operator. When the operator wishes to use a system, he or she can provide the certificate to the system. The system, in turn, provides a selected value, such as a random number, to the operator, who signs the selected value using the private key (in RSA terms, encrypts it with the private key) and provides the result to the system. The system uses the public key from the certificate to verify the signature (decrypt the value). If the recovered value corresponds to the original value, the system can determine that the operator has possession of the private key for which the public key is in the certificate. If the operator has suitably protected the certificate against modification (the certification authority's signature on the certificate lets the system detect modification) and the private key against third-party access, and if the system trusts the certification authority, the system can determine that the operator identification information is associated with the operator who provided it to the system, thereby authenticating the operator. Since the certificate can be provided to the system when the prospective operator wishes to use it, the operator need not be previously identified to the system, which would be necessary in, for example, a password-based system. This alleviates the problems noted above in connection with password-based systems, since the operator need not update password information periodically on all of the systems whose resources may be accessed.

While certificate-based systems can be more convenient and secure than password-based systems, they can be compromised if, for example, a third party obtains unauthorized access to an operator's private key.

More secure arrangements make use of biometric analysis of prospective operators. Generally, biometric devices are initially used to determine values for a predetermined set of physical characteristics of an operator and associate those values with an identifier for the operator. If a prospective operator wishes to use, for example, a computer, the computer would need to be provided with the previously determined initial values for the prospective operator and with a biometric device that is capable of analyzing the prospective operator, determining values for at least some of the same set of characteristics as were previously determined, and providing them to the computer that the prospective operator wishes to use. In addition, the operator will provide his or her identifier to the computer. The computer can then compare the values received from its biometric device to the values determined initially for that operator. If the values compare favorably, the computer will determine that the prospective operator is authenticated, that is, that the person analyzed by the computer's biometric device is the person who is associated with the identifier that he or she provided, and may allow the prospective operator to use it. On the other hand, if the values that the computer's biometric device determines for the prospective operator do not compare favorably with the values initially determined for the operator associated with the identifier that the prospective operator provided to the computer, the computer can determine that the prospective operator is not authenticated and may, for example, not allow him or her to use it.

Since arrangements that make use of biometrics to determine whether a prospective operator is authenticated make use of personal characteristics of the prospective operator, they are difficult to fool. But biometrics are not secret, and therefore not obviously useful for network authentication. Biometrics are traditionally used only for authentication to a directly attached computer. Biometric devices are relatively expensive, and providing them at each computer, or even at each set of computers, would be relatively expensive.

SUMMARY OF THE INVENTION 

The invention provides a new and improved system and method that facilitates 
relatively inexpensive but reasonably secure authentication of prospective users for a 
number of resources, such as computers, available in a network. 

In brief summary, the invention provides a system including at least one resource, such as a computer, and a high-security authentication device. The high-security authentication device is configured to perform an authentication operation in connection with a prospective operator and to generate a short-term credential for the prospective operator if it authenticates the prospective operator. The at least one resource is configured to, in response to the prospective operator attempting to utilize the resource, initiate an operator authentication verification operation using the short-term credential to attempt to verify the authentication of the prospective operator. Depending on other access control policies, as is conventional, the at least one resource can condition allowing the prospective operator to utilize the at least one resource on the results of the operator authentication verification operation.

The invention provides an arrangement whereby a single, relatively expensive high-security authentication device can be used to provide authentication services for prospective operators for one or more resources. It will be appreciated that, since the high-security authentication device gives the short-term credentials to the prospective operator, they can be compromised; however, since the duration during which the credentials are valid can be limited to a relatively short period of time, both the likelihood of compromise and the period during which compromised credentials remain usable are reduced. The time period during which the credentials will be valid can be selected based on any set of criteria, and may be anywhere from a few hours to a few days, weeks or longer based on, for example, the perceived likelihood that the credentials might be compromised over the period during which they will be valid, the damage that might be suffered if the credentials are compromised, and other criteria that a system administrator may wish to consider.



BRIEF DESCRIPTION OF THE DRAWINGS 

This invention is pointed out with particularity in the appended claims. The above and further advantages of this invention may be better understood by referring to the following description taken in conjunction with the accompanying drawings, in which:

Fig. 1 is a functional block diagram of a computer network including an arrangement that facilitates the inexpensive but reasonably secure authentication of prospective users for a number of such resources, such as computers, available in the network, in accordance with the invention;

Fig. 2 is a flow chart depicting operations performed by a high-security authentication device included in the computer network in connection with the invention; and

Fig. 3 is a flow chart depicting operations performed by a resource, in particular a computer, included in the computer network in connection with the invention.
DETAILED DESCRIPTION OF AN ILLUSTRATIVE EMBODIMENT

FIG. 1 is a functional block diagram of a computer network 10 including an arrangement that facilitates the inexpensive but reasonably secure authentication of prospective users for a number of resources, such as computers, available in a network, in accordance with the invention. With reference to FIG. 1, the network 10 includes a plurality of computers 11(1) through 11(N) (generally identified by reference number 11(N)) and a high-security authentication device 12 interconnected by a communication link 13. Generally, computers 11(N) can be any type of computer, such as a personal computer or computer workstation, or other device, such as a terminal, through which an operator can log on to and utilize other computers and devices (not shown) that are connected directly thereto or that are accessible over the communication link 13. For example, computers 11(N) may include an embedded computer controlling access to a resource, such as a locked room.

The high-security authentication device 12 can include any type of device that can be used to authenticate a person, including, for example, a biometric authentication device 20, a smart card reader 21 and/or another device that is capable of authenticating a prospective operator who may wish to utilize one or more of the computers 11(N). In addition, the high-security authentication device may include one or more operator input devices such as a keypad 22A and a media reader/writer 22B. The keypad 22A can accept operator input manually provided by the operator. The media reader/writer 22B can read any form of computer-readable medium such as a diskette, tape, bar code or other medium that can carry information in a form that can be read by an appropriate sensing device and, in addition, can store information thereon. The high-security authentication device also includes a credential information generator 23 and a credential information distributor 24, which will be used as described below. The high-security authentication device 12 may also include a display 25 for visually displaying information. If a biometric authentication device 20 is provided, the device 20 can acquire biometric information comprising values that are associated with a predetermined set of physical characteristics of the prospective operator, in a conventional manner. If a smart card reader 21 is provided, the smart card reader 21 can utilize credentials that have previously been stored in a smart card 26 that has been issued to the prospective operator. Other types of authentication devices, if provided instead of or in addition to the biometric authentication device 20 and smart card reader 21, will operate in a manner associated with the respective authentication device to authenticate a prospective operator, in a manner that will be apparent to those skilled in the art.

The network 10 includes an arrangement for facilitating the authentication of prospective operators by the computers 11(N), thereby to regulate access to the respective computers. Generally, instead of performing a highly secure authentication each time a prospective operator attempts to log on, which would normally be performed by an apparatus such as the biometric authentication device 20 and would normally require such a device 20 to be provided at each computer 11(N), in network 10 a prospective operator periodically logs onto the high-security authentication device 12. After the high-security authentication device 12 has authenticated the prospective operator, it generates short-term credentials that may be provided both to the prospective operator and to the computer or computers 11(N) that the prospective operator is authorized to use.

Thereafter, when the prospective operator wishes to utilize one of the computers 11(N), he or she can log onto the computer 11(N) with his or her identifier and also provide his or her short-term credentials to the computer 11(N). The computer 11(N), in turn, can identify the short-term credentials that are associated with the identifier provided by the prospective operator and thereafter perform selected authentication operations, as described below, to attempt to authenticate the prospective operator. If the computer 11(N) determines that the prospective operator is authenticated, and depending on conventional access control policies, it may allow the prospective operator to utilize the computer 11(N). On the other hand, if the computer 11(N) determines that the prospective operator is not authenticated, and also depending on conventional access control policies, it may determine that the prospective operator is not to utilize the computer 11(N). In that case, the computer 11(N) may additionally notify a system administrator of the unauthorized attempt to log onto the computer 11(N).
Since a short-term credential is preferably valid for only a short period of time, illustratively a few hours or days, if an operator wishes to log into a computer after the credential expires he or she will need to be re-authenticated by the high-security authentication device 12, which will issue new short-term credentials for him or her in the manner described above. Since only one high-security authentication device 12 is required for the network 10, the cost of the network is reduced in comparison with networks in which one such device is provided for each computer 11(N). At the same time, providing that the credentials issued by the high-security authentication device are valid for only a predetermined and relatively short period of time reduces the likelihood that they might be compromised and, if they are, limits the length of time during which they remain usable.

With this background, the arrangement will be described in greater detail in connection with FIGS. 1 through 3. As noted above, initially the prospective operator will use the high-security authentication device 12 to authenticate himself or herself. In that operation, the operator will make use of one or more of the biometric authentication device 20, smart card reader 21 and/or other devices that may be provided by the high-security authentication device 12. The biometric authentication device 20, smart card reader 21 or other authentication devices that may be provided are conventional, and the operations performed thereby in connection with the authentication will be apparent to those skilled in the art and will depend on the particular type of device or devices used to perform the authentication. During the authentication operation, the biometric authentication device 20, smart card reader 21 and/or other device(s) that is or are performing the authentication may enable visual indicia indicating the status of the authentication to be provided to the prospective operator by the display 25.

If the biometric authentication device 20, smart card reader 21 and/or other device(s) that is or are performing the authentication determines that the prospective operator has been authenticated, it or they will so notify the credential information generator 23, along with the identification of the prospective operator. The credential information generator 23 thereafter generates short-term credentials that will subsequently be used by the computers 11(N) to authenticate the operator. The short-term credentials generated by the credential information generator 23 may take any of a number of forms, including one or more of a random number, a personal identification number ("PIN"), a passphrase, a public/private key pair, a ticket-granting ticket, a certificate, or other form that will be apparent to those skilled in the art.

Alternatively, the prospective operator, using the operator input device 22, can choose a passphrase, PIN or other indicia and input it through the keypad 22A for use as the short-term credentials. As another alternative, the operator can provide, for example, a computer-readable medium appropriate for the reader/writer 22B on which is encoded any of the types of information described above for use as short-term credentials, which can be read by the reader/writer 22B. Further, the short-term credentials may be an existing credential format or method such as a Kerberos ticket-granting ticket.

After the reader/writer 22B has read the information from the computer-readable medium, it can provide the information to the credential information generator 23 for use as the short-term credentials. In any case, the short-term credentials as generated by the credential information generator 23 may also include expiration information, which may include, for example, a time stamp indicating the time at which the short-term credentials were generated, in which case the computer or computers 11(N) that receive the short-term credentials may determine an expiration time as being a predetermined time period from the time indicated by the time stamp. Alternatively, the time stamp provided by the credential information generator 23 may indicate the point in time at which the credentials are to expire. As a further alternative, the computers 11(N) that receive the message packets including the credentials can determine the time at which they expire based on the time(s) they were transmitted to the computers 11(N) or the time(s) that they were received by the computers 11(N). As a further alternative, the credential may have an intrinsic time limit, for example, being a function of the time of day. Whichever alternative is used, the expiration information should be covered by the same integrity protection as the rest of the credential, since an expiry that the holder can alter limits nothing.

After the credential information generator 23 has generated the short-term credentials, it provides them, along with the prospective operator's identifier, to the credential information distributor 24 to be distributed to the computers 11(N). The credential information distributor 24 may distribute the short-term credentials to all of the computers 11(N), or, if the operator is only authorized to utilize selected ones of the computers 11(N), to the subset of computers 11(N) that the operator is authorized to utilize. In that operation, the credential information distributor 24 can package the short-term credentials into message packets that are transmitted over the communication link 13 to the various computers 11(N). Preferably, the credential information distributor 24 will transmit the message packets in such a manner that (i) the short-term credentials in the message packets will be secure against third-party interception, and (ii) if a third party attempts to transmit message packets containing purported credentials to the computers 11(N), the computers 11(N) will reject them. This secure transmission can be accomplished in several ways. For example, the credential information distributor 24 can establish a secure channel over the communication link 13 with each of the computers to which it transmits the message packets. Alternatively, the credential information distributor 24 can forward the short-term credentials, in a message packet over a single secure channel, to a centralized account management facility 14 that may distribute the short-term credentials to the respective computers 11(N), preferably over secure channels. Other alternatives will be apparent to those skilled in the art.

In addition, if the operator did not provide the credentials him- or herself, the credential information generator 23 provides the short-term credentials to the prospective operator. This can be accomplished in a number of ways. For example, the credential information generator 23 can enable the short-term credentials to be printed on paper.

Alternatively, the credential information generator 23 can just enable the display 25 to display the short-term credentials to the prospective operator and require him or her to memorize them. As a further alternative, the credential information generator 23 can provide the short-term credentials in a machine-readable form, such as a smart card, floppy disk, magnetic stripe or the like that can be read by an appropriate reader (not separately shown) provided by the respective computers 11(N). It will be appreciated that, if the short-term credentials comprise a random number, passphrase, or PIN, the credential information generator 23 can provide the same credentials to the operator as it gave to the credential information distributor 24.

Alternatively, if the credential is a function of the time at which it was issued, the credential can be verified by the computer 11(N) without any extra communication with the distributor 24.

On the other hand, if the credentials comprise a public key/private key pair, the credential information generator 23 may provide the private key to the prospective operator and the public key to the computers 11(N). Alternatively, or in addition, the public key may be provided in a certificate that has been signed by the credential information generator 23 using its private key (so that a computer 11(N) holding the generator's public key can verify the signature) and provided to the computers 11(N) in a manner similar to that described above. And/or the public key certificate may be provided to the prospective operator on, for example, a suitable computer-readable medium.

After the short-term credentials have been provided to the computers 11(N) and/or the prospective operator, if the prospective operator wishes to utilize a computer 11(N) during the period of time for which the credentials are valid, he or she can log onto the computer 11(N) and provide his or her identification and short-term credentials. The computer 11(N), before it allows the prospective operator to use it, will perform an authentication operation determined from the credentials as provided by the operator, the credentials as provided by the high-security authentication device 12, the identification provided by the operator, and/or possibly other information as described below, to determine if the operator is authenticated.

If the computer 11(N) determines that the prospective operator has been authenticated, then, depending on other access control policies, as will be appreciated by those skilled in the art, the computer 11(N) can determine whether the prospective operator is authorized to use the computer 11(N). In connection with the authentication operation, if the credentials are, for example, a random number, passphrase, PIN or the like, the computer 11(N) may need merely to compare the short-term credentials as received from the prospective operator to the credentials as received from the high-security authentication device 12 (preferably with a constant-time comparison) to determine whether the operator is authenticated.

Alternatively, the computer may compute and verify the short-term credential as a function of some combination of a secret shared with the credential generator and, for example, the time, the operator's name, a PIN the operator supplies, the computer's identity, etc.
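The following Go program is an added example and is not part of the application. It implements the stateless variant just described, in which the computer 11(N) recomputes the credential from a secret shared with the credential information generator, the validity window, the operator's name, the computer's identity and a PIN the operator supplies, so that no message from the distributor 24 is needed at login (the time-of-day credential mentioned earlier is one instance of the same idea). It also carries the expiration information discussed above as explicit not-before and not-after times under the same integrity protection as the rest of the credential. The HMAC-SHA256 construction, the per-computer shared secret and all names and values (ShortTermCredential, Issue, Verify, "alice", "ws-07", the demo secret and PIN) are assumptions made for this example, not the application's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// ShortTermCredential is the stateless credential: a validity window plus
// a MAC computed by the credential information generator with a secret it
// shares with the target computer. The PIN is covered by the MAC but is
// not carried in the credential; the operator types it at login.
// (Field names are assumptions for this example.)
type ShortTermCredential struct {
	Operator  string // operator identifier
	Computer  string // identity of the computer 11(N) it is valid for
	NotBefore int64  // Unix seconds
	NotAfter  int64  // Unix seconds
	Tag       string // hex-encoded HMAC-SHA256 over the fields and the PIN
}

// macInput serialises everything the tag covers. Length prefixes keep
// ("ab","c") and ("a","bc") from producing the same input bytes.
func macInput(operator, computer, pin string, notBefore, notAfter int64) []byte {
	return []byte(fmt.Sprintf("%d:%s|%d:%s|%d:%s|%d|%d",
		len(operator), operator, len(computer), computer, len(pin), pin, notBefore, notAfter))
}

func tag(secret []byte, c ShortTermCredential, pin string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(macInput(c.Operator, c.Computer, pin, c.NotBefore, c.NotAfter))
	return m.Sum(nil)
}

// Issue runs on the high-security authentication device after it has
// authenticated the operator. secret is the one shared with `computer`.
func Issue(secret []byte, operator, computer, pin string, now time.Time, lifetime time.Duration) ShortTermCredential {
	c := ShortTermCredential{
		Operator:  operator,
		Computer:  computer,
		NotBefore: now.Unix(),
		NotAfter:  now.Add(lifetime).Unix(),
	}
	c.Tag = hex.EncodeToString(tag(secret, c, pin))
	return c
}

// Verify runs on the computer the operator is logging onto. It needs only
// the shared secret and its own clock; no message from the generator is
// required, and a credential issued for another computer is useless here
// because the computer identity is under the MAC.
func Verify(secret []byte, c ShortTermCredential, claimedOperator, thisComputer, pin string, now time.Time) error {
	want, err := hex.DecodeString(c.Tag)
	if err != nil {
		return errors.New("malformed tag")
	}
	// Authenticate the credential before trusting any of its fields;
	// hmac.Equal is a constant-time comparison.
	if !hmac.Equal(tag(secret, c, pin), want) {
		return errors.New("MAC mismatch: wrong PIN, wrong secret or tampered credential")
	}
	if c.Operator != claimedOperator || c.Computer != thisComputer {
		return fmt.Errorf("credential was not issued for %q on %q", claimedOperator, thisComputer)
	}
	if t := now.Unix(); t < c.NotBefore || t > c.NotAfter {
		return errors.New("short-term credential expired or not yet valid")
	}
	return nil
}

func main() {
	secret := []byte("per-computer secret shared with the generator (demo value)")
	issued := time.Unix(1_700_000_000, 0) // constructed issue time
	c := Issue(secret, "alice", "ws-07", "4711", issued, 8*time.Hour)
	fmt.Println("one hour later:", Verify(secret, c, "alice", "ws-07", "4711", issued.Add(time.Hour)))
	fmt.Println("wrong host:    ", Verify(secret, c, "alice", "ws-08", "4711", issued))
	fmt.Println("next day:      ", Verify(secret, c, "alice", "ws-07", "4711", issued.Add(24*time.Hour)))
}
```

The credential the operator carries (on paper, on a display, or on a medium) is the five fields above; the PIN travels only in the operator's head, so a credential copied by a third party does not verify without it, and a credential copied from one computer's login does not verify on another.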

Further, in some cases the computer 11(N) does not need a separate credential from the credential generator to compare to the credential presented by the prospective operator. Such cases comprise:

1. The credential presented by the prospective operator has been signed using the private key of the credential generator, and the corresponding public key of the credential generator is possessed by the computer 11(N), or may be obtained in a secure manner.

2. The credential presented by the prospective operator has been encrypted, or authenticated with a message authentication code, using a secret shared by the credential generator and the computer 11(N).

3. The credential presented by the prospective operator has been encrypted, or authenticated with a message authentication code, using a secret shared by the computer 11(N) and by a third party that the computer 11(N) trusts to authenticate information from the credential generator.

As a further alternative, if the short-term credentials comprise a public key/private key pair, the computer 11(N) may, for example, generate a random number, fresh for each login, which it provides to the prospective operator. The prospective operator, in turn, can sign the random number using his or her private key (in RSA terms, encrypt it with the private key), and provide the result to the computer 11(N). The computer 11(N), in turn, will use the public key to verify the signature (decrypt the value) and compare the recovered random number to the random number that had been provided to the prospective operator. If the recovered random number corresponds to the random number, the computer 11(N) can conclude that the prospective operator is authenticated; because the random number is fresh, a response captured from an earlier login cannot be replayed.
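As an added example that is not part of the application, the following Go program carries the public-key variant through end to end, covering both the certificate form of the credential (the generator signing the short-term public key, case 1 of the list above) and the random-number challenge just described: the credential information generator signs a short-lived certificate over (operator, short-term public key, expiry) with its own private key; the computer 11(N) checks that signature with the generator's public key, checks the expiry, and then challenges the operator, who signs the challenge with the short-term private key. Ed25519 (a signature scheme rather than the RSA-style "encrypt with the private key" of the text), the domain-separation prefixes, the binding of the computer's identity into the signed challenge, and all names (Certificate, IssueCertificate, VerifyLogin, "alice", "ws-07") are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Certificate is the short-term credential in public-key form: the
// credential information generator vouches for (operator, short-term
// public key, expiry) by signing those fields with its own private key.
// Field and function names are assumptions made for this example.
type Certificate struct {
	Operator  string
	PublicKey ed25519.PublicKey
	NotAfter  int64 // Unix seconds
	Signature []byte
}

// certBytes is the byte string the generator signs. The operator name is
// length-prefixed so that field boundaries are unambiguous.
func certBytes(operator string, pub ed25519.PublicKey, notAfter int64) []byte {
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], uint64(len(operator)))
	b := append([]byte("short-term-cert/v1"), n[:]...)
	b = append(b, operator...)
	b = append(b, pub...)
	binary.BigEndian.PutUint64(n[:], uint64(notAfter))
	return append(b, n[:]...)
}

// challengeBytes is what the operator signs. Binding the target computer's
// identity into it stops a response captured on one computer from being
// replayed on another.
func challengeBytes(computer string, nonce []byte) []byte {
	return append([]byte("login-challenge/v1:"+computer+":"), nonce...)
}

// IssueCertificate runs on the high-security authentication device after
// it has authenticated the operator: it creates a fresh short-term key
// pair, signs the certificate with the generator's private key, and returns
// the private half for delivery to the operator (smart card, medium, ...).
func IssueCertificate(genPriv ed25519.PrivateKey, operator string, now time.Time, lifetime time.Duration) (Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Certificate{}, nil, err
	}
	notAfter := now.Add(lifetime).Unix()
	sig := ed25519.Sign(genPriv, certBytes(operator, pub, notAfter))
	return Certificate{Operator: operator, PublicKey: pub, NotAfter: notAfter, Signature: sig}, priv, nil
}

// NewChallenge runs on the computer 11(N): a fresh random value per login.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Respond runs on the operator's side with the short-term private key.
func Respond(priv ed25519.PrivateKey, computer string, nonce []byte) []byte {
	return ed25519.Sign(priv, challengeBytes(computer, nonce))
}

// VerifyLogin runs on the computer. It needs only the generator's public
// key; the certificate itself arrives with the operator.
func VerifyLogin(genPub ed25519.PublicKey, cert Certificate, claimedOperator, thisComputer string, nonce, response []byte, now time.Time) error {
	if len(cert.PublicKey) != ed25519.PublicKeySize {
		return errors.New("malformed certificate")
	}
	if !ed25519.Verify(genPub, certBytes(cert.Operator, cert.PublicKey, cert.NotAfter), cert.Signature) {
		return errors.New("certificate not signed by the credential generator")
	}
	if cert.Operator != claimedOperator {
		return fmt.Errorf("certificate is for %q, not %q", cert.Operator, claimedOperator)
	}
	if now.Unix() > cert.NotAfter {
		return errors.New("short-term credential expired")
	}
	if !ed25519.Verify(cert.PublicKey, challengeBytes(thisComputer, nonce), response) {
		return errors.New("challenge response invalid: operator does not hold the private key")
	}
	return nil
}

func main() {
	genPub, genPriv, _ := ed25519.GenerateKey(rand.Reader) // generator's long-term key pair
	issued := time.Now()
	cert, opPriv, _ := IssueCertificate(genPriv, "alice", issued, 8*time.Hour)
	nonce, _ := NewChallenge()
	resp := Respond(opPriv, "ws-07", nonce)
	fmt.Println("login on ws-07: ", VerifyLogin(genPub, cert, "alice", "ws-07", nonce, resp, issued))
	fmt.Println("replay on ws-08:", VerifyLogin(genPub, cert, "alice", "ws-08", nonce, resp, issued))
}
```

The order of checks matters: the certificate signature is verified before any of its fields (operator, expiry, public key) are trusted, and the expiry check runs before the comparatively expensive challenge verification, so an expired credential is refused without further work.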

In any case, if the computer 11(N) determines that the prospective operator is authenticated, and depending on conventional access control policies, the computer 11(N) may allow the prospective operator to use the computer 11(N). On the other hand, if the computer determines that the short-term credentials have expired, or that the prospective operator is not authenticated, and also depending on the access control policies, the computer may determine that the prospective operator is not authorized to use the computer 11(N). If the computer 11(N) determines that the prospective operator is not authorized to use it, the computer 11(N) may, for example, not allow the prospective operator to utilize it. Alternatively, the computer 11(N) may, for example, notify a system administrator, who may determine whether the usage should be allowed and either allow the prospective operator to utilize it, or not, based on the system administrator's determination.

Instead of the high-security authentication device 12 providing the short-term credentials to the computers 11(N), the high-security authentication device 12 or the centralized account management facility 14 may retain them. In that case, when the prospective operator attempts to log onto a computer 11(N), the computer 11(N) can transmit the short-term credentials input by the prospective operator, along with the operator identification value provided by the prospective operator, to the high-security authentication device 12 or centralized account management facility 14, preferably over a secure channel over communication link 13. In that case, the high-security authentication device 12 or centralized account management facility 14 will perform the operations described above as being performed by the computer 11(N) to authenticate the prospective operator. If the high-security authentication device 12 or centralized account management facility 14 determines that the prospective operator is authenticated, and if the credentials have not expired, it can transmit a token to the computer 11(N) that, in turn, will enable the computer 11(N) to allow the operator to utilize it.

With this background, operations performed by the high-security authentication device 12 and a computer in connection with the invention will be described in connection with the flow charts in FIGS. 2 and 3, respectively. In the following, it will be assumed that the high-security authentication device 12 distributes the credentials to the computers 11(N), and that the computers 11(N) perform the operations to authenticate the prospective operator. In addition, it will be assumed that authentication is performed by the biometric authentication device 20. Operations performed if authentication is performed by other types of devices will be apparent to those skilled in the art. Accordingly, with reference to FIG. 2, when a prospective operator wishes to obtain short-term credentials for him- or herself, he or she enables the high-security authentication device 12, in particular the biometric authentication device 20, to initially authenticate him or her, in the process providing an identifier for the prospective operator (step 100). If the biometric authentication device 20 is successful in authenticating the prospective operator (step 101), it provides a notification to the credential information generator 23 along with the prospective operator's identifier (step 102) to enable the credential information generator 23 to generate the credentials for the prospective operator.

After the credential information generator 23 has generated the short-term credentials for the prospective operator (step 103), it provides the short-term credentials, along with the prospective operator's identifier, to the credential information distributor 24, which generates message packets including the short-term credentials and operator identifier for transmission to the computers 11(N) that the prospective operator will be authorized to utilize (step 104) and transmits the message packets through secure channels over the communication link 13 (step 105).

In addition, the credential information generator 23 provides the generated credentials to the prospective operator (step 106). It will be appreciated that, in performing step 106, the credential information generator 23 may provide the generated credentials in one or more of a number of forms, including paper hardcopy, display to the prospective operator using display 25, recording the credentials onto an appropriate medium using the media reader/writer 22B, and/or any other arrangement for providing the short-term credentials to the prospective operator.

Returning to step 101, if the biometric authentication device 20 is unsuccessful in
authenticating the prospective operator, it can enable the display 25 to display a suitable
notice to the prospective operator (step 107). In addition, it can generate an appropriate
notification for transmission to a system administrator (step 108).

As noted above, and with reference to step 103, if the prospective operator provides
the short-term credentials him- or herself, in the form of, for example, a passphrase
or PIN, he or she can input the passphrase or PIN through the keypad 22A, which the
credential information generator 23 can utilize. On the other hand, if the prospective
operator provides short-term credentials recorded on a computer-readable medium such as a
smart card, magnetic strip or the like, the credential information generator 23 can enable
the smart card reader 21 to retrieve the credential information from the smart card or the
media reader/writer 22B to retrieve the credential information from the computer-readable
medium.

As noted above, and with reference to step 105, if, instead of the high-security
authentication device 12 providing the short-term credentials to the computers 11(N), it
provides them to a centralized account management facility 14, the high-security
authentication device 12, instead of transmitting the short-term credentials to the computers
11(N), will transmit the short-term credentials to the centralized account management
facility 14, preferably over a secure channel over the communication link 13. Thereafter,
if the short-term credentials are to be provided to the computers, the centralized account
management facility 14 can distribute them to the computers 11(N) that the prospective
operator is authorized to use.

FIG. 3 is a flow chart depicting operations performed by a computer 11(N) in
connection with authenticating a prospective operator. In the following, it will be
assumed that the short-term credentials are distributed to the computers 11(N) and that the
computers process the distributed short-term credentials and credentials as provided by
the prospective operator in authenticating the prospective operator. With reference to
FIG. 3, the prospective operator will initially log on, and in that operation will provide his
or her identifier and the short-term credentials (step 120).

Thereafter, the computer 11(N) will initially determine whether it has short-term
credentials for the operator identifier provided by the operator in step 120 (step 121). If
the computer 11(N) makes a positive determination in step 121, it will then determine
whether the short-term credentials that it has for the operator identifier provided by the
operator are still valid, that is, that they have not expired (step 122). If the computer
makes a positive determination in step 122, it will process the short-term credentials as
provided by the operator in step 120 in relation to the short-term credentials as provided
by the high-security authentication device 12 in step 105 for the identifier that was
provided by the prospective operator in step 120, to determine whether the short-term
credentials correspond (step 123).

If the computer 11(N) makes a positive determination in step 123, that is, if it
determines that the short-term credentials provided by the prospective operator correspond
to the short-term credentials as provided by the high-security authentication device 12,
the computer 11(N) can allow the prospective operator to utilize it as an operator (step
124).

Returning to step 121, 122 or 123, if the computer 11(N) makes a negative
determination in any of those steps, that is, if it determines in step 121 that it does not have
short-term credentials for the operator identifier provided by the operator in step 120, or
if it determines in step 122 that the short-term credentials that it does have for the
identifier have expired, or if it determines in step 123 that the short-term credentials provided
by the prospective operator do not correspond to the short-term credentials as provided
by the high-security authentication device 12, the computer 11(N) may not allow the
prospective operator to utilize it as an operator (step 125). On the other hand, as noted
above, instead of disallowing utilization, the computer 11(N) may interrogate a system
administrator as to how to proceed, and may allow or disallow utilization as the system
administrator determines.

As described above, and with reference to step 123, the particular operations
performed by the computer 11(N) in determining whether the short-term credentials
provided by the prospective operator in step 120 correspond to the short-term credentials as
provided by the high-security authentication device in step 105 will depend on the nature
of the short-term credentials.

For example, if the short-term credentials are in the form of a random number,
passphrase, or PIN, the computer 11(N) can compare the short-term credentials as
received from the high-security authentication device 12 to the short-term credentials as
provided by the prospective operator, and, if they are identical, determine that the two
credentials correspond.
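The following is an added example, not code from the application, that walks the PIN/passphrase case through both flow charts: the device side of FIG. 2 (steps 103 through 106, generation of a short-term credential with an expiry and one message packet per authorized computer) and the computer side of FIG. 3 (steps 120 through 125, lookup by identifier, expiry check, comparison, and the allow/deny or refer-to-administrator outcome). The class names, packet fields and the eight-digit numeric PIN are assumptions made for this example; the secure channel of step 105 is assumed to exist and is not modelled.

```python
"""Added example of the short-term-credential flow in FIGS. 2 and 3 for
PIN/passphrase-type credentials.  Class and field names are assumptions made
for this example; they are not identifiers from the application."""
import secrets
import string
from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class CredentialPacket:
    """Message packet built by the credential information distributor (step 104)."""
    operator_id: str
    credential: str
    expires_at: float   # POSIX seconds; the validity period is set by administrator policy


class Decision(Enum):
    ALLOW = "allow"             # step 124
    DENY = "deny"               # step 125
    REFER_TO_ADMIN = "refer"    # the alternative to step 125 mentioned in the text


class HighSecurityDevice:
    """Stands in for the credential information generator 23 and distributor 24."""

    def __init__(self, validity_seconds: float, pin_length: int = 8):
        self.validity_seconds = validity_seconds
        self.pin_length = pin_length

    def issue(self, operator_id: str, authorized_computers, now: float) -> str:
        # Step 103: draw the credential from a CSPRNG, never from clocks or counters.
        pin = "".join(secrets.choice(string.digits) for _ in range(self.pin_length))
        packet = CredentialPacket(operator_id, pin, now + self.validity_seconds)
        # Step 104: one packet per computer the operator is authorized to use.
        # Step 105 (the secure channel over link 13) is outside this example; the
        # packet carries the credential in clear, so that channel is essential.
        for computer in authorized_computers:
            computer.receive_packet(packet)
        return pin  # step 106: handed to the operator (display, hardcopy, media)


class Computer:
    """One of the computers 11(N); holds the packets distributed to it."""

    def __init__(self, refer_to_admin: bool = False):
        self._store: dict[str, CredentialPacket] = {}
        self.refer_to_admin = refer_to_admin

    def receive_packet(self, packet: CredentialPacket) -> None:
        # A newer packet for the same operator replaces the older one.
        self._store[packet.operator_id] = packet

    def logon(self, operator_id: str, supplied: str, now: float) -> Decision:
        """Steps 121-125 of FIG. 3 for one logon attempt (step 120)."""
        failure = Decision.REFER_TO_ADMIN if self.refer_to_admin else Decision.DENY
        packet = self._store.get(operator_id)
        if packet is None:                      # step 121: nothing held for this identifier
            return failure
        if now >= packet.expires_at:            # step 122: expired; discard the stale copy
            del self._store[operator_id]
            return failure
        # Step 123: compare in constant time so response timing does not reveal
        # how many leading characters of the guess were right.
        if not secrets.compare_digest(packet.credential.encode(), supplied.encode()):
            return failure
        return Decision.ALLOW                   # step 124
```

The comparison in step 123 is deliberately done with `secrets.compare_digest` rather than `==`: the text only asks that the two values be identical, but a byte-by-byte early-exit comparison would let an attacker with a good clock narrow the PIN one digit at a time. Discarding an expired packet at step 122 keeps stale credentials from lingering on every computer until the next distribution.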

On the other hand, if the short-term credentials are in the form of a public
key/private key pair, the computer 11(N) can determine that the short-term credentials
correspond by the following four steps: generating a random number; transmitting the
random number to the prospective operator; having the prospective operator encrypt the
number using the private key; and, having the prospective operator transmit the results
back to the computer 11(N). The computer 11(N) then decrypts the encrypted value using
the corresponding public key, and compares the original value to the decrypted value. If the
original and the decrypted values correspond, the computer 11(N) can determine that the
short-term credentials correspond. Methodologies by which the computers 11(N) may
determine that the short-term credentials correspond for other types of short-term credentials
will be based on the types of short-term credentials, and will be apparent to those skilled
in the art.

Operations described above in connection with FIG. 3 assume that the computer
11(N), the computer which the operator wishes to utilize, determines whether short-term
credentials exist for the prospective operator (step 121), whether the short-term credentials
have expired (step 122), and whether the short-term credentials provided by the prospective
operator in step 120 correspond to the short-term credentials as provided by the
high-security authentication device in step 105. It will be appreciated that if, for example,
the high-security authentication device 12 is to perform these operations, the computer
11(N) can forward the short-term credentials along with the identifier of the prospective
operator to the high-security authentication device 12, preferably over a secure
channel over communication link 13, which, in turn, can perform the operations described
above in connection with steps 121 through 123. The high-security authentication
device 12 can return the information to the computer 11(N) indicating the results of
the operations. Similarly, if the centralized account management facility 14 is to perform
these operations, the computer 11(N) can forward the identifier and credentials that it
receives from the prospective operator to the centralized account management facility 14,
which will perform corresponding operations.

In addition, in operations described above in connection with FIG. 3, it was
assumed that the short-term credentials are distributed to the computers 11(N) and that the
computers process the distributed short-term credentials and credentials as provided by
the prospective operator in authenticating the prospective operator. It will be appreciated
that, if the short-term credentials are provided in, for example, a certificate provided by
the operator, the computer 11(N) need only make use of the short-term credentials that
are in the certificate, as described above. In this case, the computers 11(N) do not need to
be connected via a network.

The invention provides a number of advantages. In particular, the invention provides
an arrangement whereby a single, relatively expensive high-security authentication
device 12 can be used to provide authentication services for prospective operators for a
number of computers 11(N). It will be appreciated that, since the high-security
authentication device 12 gives the short-term credentials to the prospective operator, they can be
compromised; however, since the credentials are only valid for a relatively limited period
of time, the likelihood of compromise and the duration that the credentials may be
compromised are reduced. The time period during which the credentials will be valid can be
selected based on any set of criteria, and may be anywhere from a few hours to a few days,
weeks or longer based on, for example, the perceived likelihood that the credentials
might be compromised over the period during which they will be valid, the damage that
might be suffered if the credentials are compromised and other criteria that a system
administrator may wish to consider.

17 

\\CHEETAHWOLl\CLffiNTS\l 12\047\0050\Prosecut\edited dec 7 PATAPP.doc 12/07/01 2:35 PM 



PATENT 
112047-0050 

It will be appreciated that numerous modifications may be made to the arrangement
described above. For example, if the high-security authentication device 12 provides
a certificate to the prospective operator that has been signed by the high-security
authentication device 12, when the prospective operator wishes to log onto a computer
11(N), all the computer 11(N) may need to do is to verify the signature in a conventional
manner and, if the signature is verified and the certificate has not expired, allow the
prospective operator to utilize it.

Furthermore, although the network 10 has been described as comprising computers
11(N) that a prospective operator may wish to utilize, it will be appreciated that the
network 10 may include other kinds of resources and devices instead of or in addition to
computers that a prospective operator may wish to utilize, which may perform operations
similar to those described above in connection with computers 11(N) to determine
whether the prospective operator should be allowed to utilize them.

In addition, although the system 10 has been described such that the high-security
authentication device 12 distributes short-term credentials to the computers 11(N) for use
during an authentication operation, it will be appreciated that, during an authentication
operation by a computer 11(N), the computer 11(N) can instead request a copy of the
short-term credentials from the high-security authentication device 12 or centralized
account management facility 14.

In addition, the high-security authentication device 12, instead of or in addition to
authenticating the prospective operator based on his or her identity, can authenticate the
prospective operator based on other criteria, such as sobriety, blood pressure, weight,
radiation emission, credit worthiness, and/or other personal characteristics of the
prospective user. In that case, the high-security authentication device 12 may be provided with
such apparatus as a breath analyzer to measure the prospective operator's sobriety, a
blood pressure tester to measure the prospective operator's blood pressure, a radiation
detector to detect gamma or beta ray emissions from radioactive material and thereby
measure the prospective user's emission of radiation (radioactive emission may be
due to either accidental contamination or medical administration, etc.), an arrangement
for obtaining information as to the prospective user's credit worthiness, and/or other
suitable arrangements for checking other respective personal characteristics. The credit
worthiness determination may be made by, for example, a system administrator after
interrogating a credit database, or by the high-security authentication device 12 after
interrogating the credit database based on criteria provided by a system administrator. Other
personal characteristics that might be useful in connection with conditioning usage of the
computers 11(N) will be apparent to those skilled in the art, as will arrangements for
analyzing those characteristics and determining whether a prospective operator should be
allowed to use them.

In addition, where the term authentication has been used, a broader concept where 
it is determined that a prospective operator has certain attributes can be used. The attrib- 
utes could be attributes required to access the resources. 

The foregoing description has been limited to a specific embodiment of this in- 
vention. It will be apparent, however, that various variations and modifications may be 
made to the invention, with the attainment of some or all of the advantages of the inven- 
tion. It is the object of the appended claims to cover these and such other variations and 
modifications as come within the true spirit and scope of the invention. 

What is claimed is: 